data/reports: add GO-2023-2113.yaml
Aliases: CVE-2022-21698, CVE-2023-25151, CVE-2023-45142, GHSA-5r5m-65gx-7vrh, GHSA-cg3q-j54f-5p7p
Fixes golang/vulndb#2113
Change-Id: I07a9bf749be5714572a13d962ea37a5455b5dd9e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/535155
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2023-2113.json b/data/osv/GO-2023-2113.json
new file mode 100644
index 0000000..9dd6414
--- /dev/null
+++ b/data/osv/GO-2023-2113.json
@@ -0,0 +1,254 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2113",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-45142",
+ "GHSA-rcjv-mgp8-qvmr"
+ ],
+ "summary": "Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib",
+ "details": "Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib",
+ "affected": [
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace/internal/semconvutil",
+ "symbols": [
+ "HTTPClientRequest",
+ "HTTPServerRequest",
+ "httpConv.ClientRequest",
+ "httpConv.ServerRequest",
+ "httpConv.proto"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.44.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
+ "symbols": [
+ "middleware.serveHTTP"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2113"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2113.yaml b/data/reports/GO-2023-2113.yaml
new file mode 100644
index 0000000..6a26fff
--- /dev/null
+++ b/data/reports/GO-2023-2113.yaml
@@ -0,0 +1,96 @@
+id: GO-2023-2113
+modules:
+ - module: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace/internal/semconvutil
+ symbols:
+ - httpConv.proto
+ derived_symbols:
+ - HTTPClientRequest
+ - HTTPServerRequest
+ - httpConv.ClientRequest
+ - httpConv.ServerRequest
+ - module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
+ versions:
+ - fixed: 0.44.0
+ vulnerable_at: 0.43.0
+ packages:
+ - package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
+ symbols:
+ - middleware.serveHTTP
+summary: Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib
+cves:
+ - CVE-2023-45142
+ghsas:
+ - GHSA-rcjv-mgp8-qvmr
+references:
+ - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
+ - fix: https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
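Review bot: The alias set in the report does not match the commit message: `cves:` holds only CVE-2023-45142 and `ghsas:` only GHSA-rcjv-mgp8-qvmr, while the Aliases line also names CVE-2022-21698, CVE-2023-25151, GHSA-5r5m-65gx-7vrh and GHSA-cg3q-j54f-5p7p and omits GHSA-rcjv-mgp8-qvmr. If those identifiers describe the same issue they belong under `cves:`/`ghsas:` so the generated OSV `aliases` array is complete; if they are distinct advisories for this module (which the differing GHSA ids suggest), the commit message is stale and should be corrected so downstream consumers do not associate them with GO-2023-2113. Separately, the report has no `description:` field, which is why the generated OSV `details` merely repeats the one-line summary; a short `description:` stating which request inputs drive the unbounded memory growth, taken from the linked advisory, would give govulncheck users enough to assess exposure. The `0.44.0`/`0.43.0` version scalars are safe unquoted since two dots prevent float parsing, but quoting them would match the other string-typed fields and guard against a future single-dot value.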